Subject: Re: Another suexec question
From: Lee Fellows
To: users@httpd.apache.org
Date: 03 Jul 2002 10:14:58 -0400
Message-Id: <1025705699.1574.78.camel@lfellows>
In-Reply-To: <1025672145.1547.44.camel@bigtoe.netorbit.com>

On Wed, 2002-07-03 at 00:55, blather wrote:
> On Tue, 2002-07-02 at 09:03, Lee Fellows wrote:
> > On Tue, 2002-07-02 at 09:38, blather wrote:
> > > On Tue, 2002-07-02 at 08:36, Lee Fellows wrote:
> > > > On Tue, 2002-07-02 at 08:43, blather wrote:
> > > > > On Tue, 2002-07-02 at 07:37, Lee Fellows wrote:
> > > > > > On Tue, 2002-07-02 at 04:05, blather wrote:
> > > > > > >
> > > > > > > Configured apache like so:
> > > > > > >
> > > > > > > [root@spider apache_1.3.26]# ./configure --enable-module=most
> > > > > > > --enable-shared=max --enable-suexec --suexec-docroot=/var/www
> > > > > > > --suexec-safepath=/bin:/usr/bin:/usr/local/bin --suexec-caller=nobody
> > > > > > > --suexec-logfile=/usr/local/apache/logs/suexec_log --suexec-uidmin=98
> > > > > > > --suexec-gidmin=98
> > > > > > >
> > > > > > > ...and read every document + maillist archive until I'm sick of it. The
> > > > > > > program is 755, in /var/www/cgi-bin and owned by owner who wants it
> > > > > > > executed, parent dir is 755, apache is running as nobody(99):nobody(99).
> > > > > > > I'm out of ideas. One odd thing I did notice is the suexec_log never
> > > > > > > got created at install.
> > > > > > >
> > > > > > > Any help is appreciated.
> > > > > > >
> > > > > > > --rjm--
> > > > > > >
> > > > > >
> > > > > > When apache starts, does it report that suexec is enabled?
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > > > > For additional commands, e-mail: users-help@httpd.apache.org
> > > > > >
> > > > >
> > > > > Sorry, yeah it does:
> > > > >
> > > > > [Tue Jul 2 03:02:43 2002] [notice] caught SIGTERM, shutting down
> > > > > [Tue Jul 2 03:02:48 2002] [notice] Apache/1.3.26 (Unix) configured --
> > > > > resuming normal operations
> > > > > [Tue Jul 2 03:02:48 2002] [notice] suEXEC mechanism enabled (wrapper:
> > > > > /usr/local/apache/bin/suexec)
> > > > > [Tue Jul 2 03:02:48 2002] [notice] Accept mutex: sysvsem (Default:
> > > > > sysvsem)
> > > > >
> > > > > --rjm--
> > > > > --
> > > > > "... one of the main causes of the fall of the Roman Empire was that,
> > > > > lacking zero, they had no way to indicate successful termination of
> > > > > their C
> > > > > programs."
> > > > >
> > > >
> > > > How do you call the cgi you want suEXEC to run? (What is the url?)
> > > >
> > > > What do you see in the error_log for a failed request?
> > > >
> > >
> > > It's called by http://192.168.70.10/cgi-bin/path/to/test.cgi.
> >
> > And access here is controlled via a 'VirtualHost' with User and
> > Group set to the correct user and group in the VirtualHost section,
> > not the general server section?
> >
> > > The error
> > > log shows the script in question failing ( it does a 'system(cp file
> > > testfile)' for permission reasons because the directory is 755 (and the
> > > script is running as nobody).
> >
> > suEXEC is not being invoked. I would suspect because it is not
> > being called through a VirtualHost or by a UserDir invocation as
> > described in the documentation.
> >
> > >
> > > --rjm--
>
> There are no VirtualHost directives for this install. I agree that
> suexec isn't being invoked but for the life of me cannot fathom why. I
> was under the impression that suexec (from the documentation + related
> archive discussion) that if the proggie in question was in the
> --suexec-docroot that it was suid/sgid the based on the ownership of
> parent directory.
>
> --rjm--
>

From my reading of the documentation suEXEC can only be invoked in a
VirtualHost or in User directories. I cannot find anything to suggest
that suEXEC would work with suid/sgid programs. From Apache User Manual,
suexec.html#usage, suEXEC expressly _will not_ work with suid/sgid
programs (item 17 of the suEXEC Security Model).

You could define a VirtualHost with the same DocumentRoot and set
User/Group to the appropriate user/group, drop the suid/sgid bits from
the files, ensure the ownership matches the User/Group in the
VirtualHost, and try it then. Or use UserDir. These two avenues appear
to be the only ones available for you to use suEXEC.
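
The conditions discussed in this thread can be checked before a request is ever made. The script below is an added example, not part of the original message and not Apache code: it tests a CGI against the build-time limits quoted above (`--suexec-docroot`, `--suexec-uidmin`, `--suexec-gidmin`) and against the setuid/setgid, write-permission and ownership rules of the suEXEC security model in the Apache documentation. The function names, argument order and the id 1001 are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of a CGI against suEXEC's conditions.
# Function names and the argument order are hypothetical, not Apache's.

# matches FILE PREDICATES...: true if FILE itself satisfies the find predicates
matches() {
    _f=$1; shift
    [ -n "$(find "$_f" -prune "$@" 2>/dev/null)" ]
}

_fail() { echo "FAIL: $*"; _rc=1; }

# suexec_preflight CGI UID GID DOCROOT UIDMIN GIDMIN
# UID/GID: numeric User/Group of the VirtualHost (or the UserDir owner).
suexec_preflight() {
    cgi=$1 uid=$2 gid=$3 docroot=$4 uidmin=$5 gidmin=$6
    _rc=0
    [ -f "$cgi" ] || { _fail "$cgi is not a regular file"; return 1; }
    dir=$(cd "$(dirname "$cgi")" && pwd -P)
    root=$(cd "$docroot" 2>/dev/null && pwd -P) ||
        { _fail "docroot $docroot not found"; return 1; }

    # --suexec-uidmin / --suexec-gidmin: target ids must not be below these
    [ "$uid" -ge "$uidmin" ] || _fail "uid $uid is below uidmin $uidmin"
    [ "$gid" -ge "$gidmin" ] || _fail "gid $gid is below gidmin $gidmin"
    # --suexec-docroot: the program's directory must be inside it
    case "$dir/" in
        "$root"/*) ;;
        *) _fail "$cgi is outside docroot $docroot" ;;
    esac
    # setuid/setgid programs are refused (item 17 cited in the reply)
    matches "$cgi" \( -perm -4000 -o -perm -2000 \) &&
        _fail "$cgi is setuid/setgid; clear with chmod ug-s"
    for p in "$cgi" "$dir"; do
        # program and directory: not writable by group/other, owned by target
        matches "$p" \( -perm -020 -o -perm -002 \) &&
            _fail "$p is writable by group or other"
        matches "$p" -user "$uid" -group "$gid" ||
            _fail "$p is not owned by $uid:$gid"
    done
    return "$_rc"
}

# Thread's build values: docroot /var/www, uidmin/gidmin 98 (1001 is a placeholder id).
# suexec_preflight /var/www/cgi-bin/path/to/test.cgi 1001 1001 /var/www 98 98
```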